Static code analysis is the analysis of computer software performed without actually executing the software being analyzed. The term is usually applied to the analysis performed by an automated tool. The analyses performed by these tools vary from those that only consider the behavior of individual statements and declarations to those that include an analysis of the complete source code of a program.
In contrast, dynamic code analysis is executed while a program is in operation. A dynamic test may monitor system memory, functional behavior, response time, and overall performance of the system, as well as other parameters not testable with static code analysis. One common use for code analysis in general is to identify malicious code through a security assurance process. During dynamic code security tests, only the code that is actually executed is subject to the security assurance process. All code portions that are not executed remain untested. Furthermore, without additional effort, there is no information or measurement about the amount of code testing coverage achieved during the dynamic test. While this problem is shared among all dynamic security testing approaches and domains, it is significantly elevated for security testing of client-side script, such as JavaScript, in the web browser. In modern web applications, the browser is often used as a means for client-side composition of code from multiple, heterogeneous sources, each under the control of a different code provider. Hence, standard code coverage measurement mechanisms are not available as they require a single source of code control.